Security researchers David Huang
and Collin Jackson of Carnegie Mellon University
CyLab (Silicon Valley campus) reported that the type
attribute of an <object> tag can override the charset of a
framed HTML document, even when the document is included across
origins. A page could be constructed containing such an
<object> tag which sets the charset of the framed document to
UTF-7. This could potentially allow an attacker to inject UTF-7
encoded JavaScript into a site, bypassing the site's XSS filters, and
then executing the code using the above technique.